
Anonymous vs. HBGary: the aftermath


nsane.forums


The RSA security conference took place February 14-18 in San Francisco, and malware response company HBGary planned on a big announcement. The firm was about to unveil a new appliance called "Razor," a specialized computer plugged into corporate networks that could scan company computers for viruses, rootkits, and custom malware—even malicious code that had never been seen before.

Razor "captures all executable code within the Windows operating system and running programs that can be found in physical memory," said HBGary, and it then "'detonates' these captured files within a virtual machine and performs extremely low level tracing of all instructions." Certain behaviors—rather than confirmed signatures—would suggest the presence of malware inside the company.

The HBGary team headed over early to the RSA venue at the Moscone Center in order to set up their booth on the exhibition floor. Nerves were on edge. A week before, HBGary and related company HBGary Federal were both infiltrated by members of the hacker collective Anonymous, which was upset that HBGary Federal CEO Aaron Barr had compiled a dossier of their alleged real names. In the wake of the attack, huge batches of sensitive company e-mail had been splashed across the 'Net. HBGary employees spent days cleaning up the electronic mess and mending fences with customers.

On the RSA floor, a team put together the HBGary booth and prepared for the Razor announcement. CEO Greg Hoglund prepped his RSA talk, called "Follow the Digital Trail."


At RSA: "Anon: In it 4 the lulz..."

The HBGary team left for the night. When they returned the next morning, the opening day of the conference, they found a sign in their booth. It was from Anonymous.

"We had a lot to think about," HBGary's Vice President of Services, Jim Butterworth, told Ars. "We had just spent the previous week trying to clean things up and get ourselves back to normal, harden our systems, [and we] continued to hear the telephone calls and the threats—and I will add, these are very serious threats."

Now, with the appearance of the note in their RSA booth, the team felt not just electronically exposed; they felt physically threatened and stalked. "They decided to follow us to a public place where we were to do business and make a public mockery of our company," Butterworth said. "Our position was that we respected RSA and our fellow vendors too much to allow this spectacle to occur."

Instead, HBGary Inc. pulled out of the conference. ZDNet journalist Ryan Naraine snapped a photo from the show floor:

HBGary's withdrawal note (photo: ZDNet)

The attacks continue

On Sunday, February 6, the electronic assault had begun in earnest. As America sat down to watch the Super Bowl kickoff, five "members" of Anonymous infiltrated the website of security firm HBGary Federal. They had been probing HBGary Federal and related firm HBGary Inc. since Saturday, but on Sunday they struck gold with an SQL injection attack on HBGary Federal's content management system.

They quickly grabbed and decrypted user passwords from the website, which they used to move into HBGary Federal's hosted Google e-mail. By the time the attack was through, the hackers had compromised HBGary Federal's website, deleted its backup data, taken over Greg Hoglund's rootkit.com site, and locked both companies out of their e-mail accounts by changing the passwords.

While HBGary Federal was truly "hacked," HBGary Inc. was not; attackers simply used existing usernames and passwords to access key systems. HBGary had in fact hardened its Web defenses, fully patching them on the Thursday before the attack began in anticipation of some unpleasantness. Butterworth told Ars that the company was able to bring down its compromised offsite Web servers within 42 minutes of the attack's beginning. (He also confirmed the accuracy of our earlier exclusive report on how Anonymous penetrated the two companies.)

Over the last week, this part of the story became well known. What was not visible outside the hallways of HBGary's Sacramento offices, however, was just how long the attacks continued. Indeed, although the electronic assault stopped soon after it began, the harassment has yet to end.

Butterworth sounded tired as he recounted the days for us—when we spoke, 17 had passed since the initial attack. Since then, HBGary has been flooded with phone calls and voicemails of the "you should be ashamed of yourself" type and worse; the fax machines have been overwhelmed with Anonymous outpourings; people have been "directly threatening our employees with extortion"; threats have been made. Then came RSA.

Butterworth, with a long career in military signals intelligence and private security firms, is no stranger to the dark world of cyberattacks, but he's used to adversaries who retreat after an electronic strike.

Instead, he believes that Anonymous has "decided to continue their antics. They're in it for the laughs… this is a real funny game for them." Not content with the damage they have inflicted, they "harass a company that's trying to get back to work." Each time a new story about the company appears in the press, Butterworth said that these attacks spike again.

"Millions in damages"

The fallout from the whole debacle endures. In the wake of the attack, HBGary's Penny Leavy and Greg Hoglund (they are married) entered the Anonymous IRC channel #ophbgary to plead in vain for Greg's e-mails to stay private. (Several less relevant remarks have been removed from the transcript for easier reading.)

<+greg> so you got my email spool too then

<&Sabu> yes greg.

<@`k> greg we got everything

<+Agamemnon> Greg, I'm curious to know if you understand what we are about? Do you understand why we do what we do?

<+greg> you realize that releasing my email spool will cause millions in damages to HBGary?

<@`k> yes

<+c0s> greg: another reason its not out yet.

<+Agamemnon> yes we do greg

<@`k> greg is will be end of you :) and your company

Asked if HBGary has in fact seen a financial impact from the Anonymous attack, Butterworth would only say, "Time will tell." He did admit that the hack had an impact on the company—"the tainting of a brand name, a company that has a very good product"—and that "we've received indications that folks are having second thoughts" about working with the firm.

The company also had to devote nearly a week of its time to performing client notification, a job that must've been anything but pleasant. And Butterworth has been tasked with overseeing HBGary's internal forensic investigation into the attack. He hopes to compile enough information to eventually prosecute those responsible.

"A lot of federal crime has been committed," he said.

Despite the fact that the attackers hid themselves behind Tor software and proxy servers, he believes the company stands a "very good chance" of catching the perpetrators.

But what has the attack meant for Anonymous, for HBGary Federal's Aaron Barr, and for the security companies linked with Barr's ideas?

Anonymous

For Anonymous, the most obvious result of the hack was publicity, glorious publicity. The attack has been covered in every outlet from Ars to the BBC and back again, though the group was unbelievably lucky to stumble on a cache of e-mails involving dirty tricks against WikiLeaks and using intelligence assets against pro-union websites. Without those revelations, the hack and e-mail release might have looked far more self-interested—Anonymous protecting its mask.

Why have the attacks on HBGary Inc. continued? We spoke to people with knowledge of the initial Anonymous hack. All have denied the existence of continuing operations against HBGary and note that the IRC channel used for coordination, #ophbgary, has been shuttered; most expressed disbelief that these attacks are even happening.

We asked HBGary for a copy of some of the faxes received at its offices, but were told that the fax machines had been turned over to the authorities as part of the investigation. HBGary did pass along a representative e-mail that an employee received last week (all header information has been removed):

Subject: Security Problem

loooooooooooooooooool

owned by anonymous. niiiice.

hope your strategy wont work and ppl of this planet will become free

without beeing surpressed or monitored.

shame on you for your "business" - it is ppl like you who try to stop

human revelation all in the name of allmighty america.

nice to see you failing hard and getting exposed yourself. how does it

feel, suckers ?

i am looking forward to see your next fail.

greets

one of your monitored sheep that actually dont like to be monitored.

ps: please do us (the human race that is not trying to be nazis like

you) a favor and get aids and die slow and painfull,

thanks in advance.

The real impact of the attacks on Anonymous may not be felt for months, or even years. HBGary says it is working with the authorities on the case, and one presumes that the FBI is interested in busting those responsible. The FBI has previously arrested those associated with mere denial of service attacks, and it recently executed 40 search warrants in connection with Anonymous' Operation Payback.

In a press release regarding the search warrants, the FBI reminded Anonymous that "facilitating or conducting a DDoS [Distributed denial of service] attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability."

Butterworth, who touted his own (lengthy) list of advanced security credentials during our call, told us that based on his investigation so far, the Anonymous "operational security was not that good… they're pretty dirty."

If he's right, the Anonymous attack, so far free of consequences, might end with some serious ones indeed.

Palantir

Those consequences have already been felt at the link analysis firm Palantir, based in Silicon Valley. The company was part of "Team Themis," a group made up of Palantir, Berico, and HBGary Federal, which got involved with the DC law firm Hunton & Williams. Hunton & Williams was looking for ways to help the US Chamber of Commerce, and later a major US bank, deal with troublesome opponents (pro-union websites and WikiLeaks, respectively).

As a member of Team Themis, Palantir became part of Aaron Barr's plans to go after WikiLeaks, put pressure on commentators like Salon.com's Glenn Greenwald, and set up a surveillance cell for the Chamber of Commerce. No one in the e-mails that we saw objected to any of the proposed ideas.


Palantir adopting Barr's ideas about WikiLeaks

When news of the proposals came out, Palantir said it was horrified. Dr. Alex Karp, the company's CEO, issued a statement: "We make data integration software that is as useful for fighting food borne illness as it is to fighting fraud and terrorism. Palantir does not make software that has the capability to carry out the offensive tactics proposed by HBGary. Palantir never has and never will condone the sort of activities recommended by HBGary. As we have previously stated, Palantir has severed all ties with HBGary going forward."

As we noted in our initial report on the situation, several of the key ideas had come from Aaron Barr—but they were quickly adopted by other team members, including Palantir. I asked the company for more information on why Barr's ideas had shown up in Palantir-branded material. The company's general counsel, Matt Long, supplied the following answer:

We did make a mistake—one of a fast growing company with lots of decentralized decision making authority. Initial results of our ongoing internal diagnostic show that a junior engineer allowed offensive material authored by HBGary to end up on a slide deck with Palantir's logo. The stolen emails conclusively show that Aaron Barr from HBGary authored the content which was collated well past midnight for an early morning presentation the next day. This doesn't excuse the incident, but hopefully it brings much needed context to a context-less email dump.

That junior engineer, a 26-year-old, has been put on leave while his actions are being reviewed.

"We should have cut ties with HBGary sooner and raised internal concerns about this sooner," Long told me. "This is a huge mistake for sure; we aren't making excuses. But our company never approved hacking or carrying out dirty tricks on anyone."

As for the engineer's e-mail in which he said that the Team Themis project "got approval from Dr. Karp and the Board" on a new revenue sharing plan, Long said that it was simply "classic salesmanship ('I need to get my manager's permission for that. I really argued hard for you and got you this deal'). In our case we don't have sales people so it is very transparent/obvious coming from a 26-year-old engineer. Dr. Karp and the Board did not know about the specifics of the proposal—including pricing."

Berico

Berico, one of the three companies involved with Team Themis, initially promised a response to our questions about its handling of the situation. The company later changed its mind and declined to comment.

Berico did issue one public statement back on February 11, saying that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."

The company added that it was "conducting a thorough internal investigation to better understand the details of how this situation unfolded and we will take the appropriate actions within our company."

Aaron Barr

HBGary Federal was in the process of selling itself after the company couldn't meet revenue projections and had difficulty paying taxes and salaries. On January 19, Penny Leavy (the largest single investor in HBGary Federal) suggested in an e-mail to Aaron Barr that he give the two companies considering a purchase a set of deadlines. Under her projected scenario, the two firms would bid on February 4 and HBGary Federal would make a final decision on February 7. On February 6, Anonymous attacked.

What happened to Barr? Anonymous loudly and angrily demanded that Penny Leavy fire him, since his list of Anonymous names could allegedly have gotten "innocent people" into serious trouble. Leavy made clear that HBGary Federal was a separate company from HBGary, one in which she owned only a 15 percent stake, and that she couldn't simply "fire" the CEO.

Barr, too, had a stake in HBGary Federal. He couldn't just be fired—but he told Ars that he has taken a leave of absence from the company in order to focus on some other things.

When he finally regained control of his Twitter account last week, Barr's first new message since the attack said just about all there was left to say: "My deepest personal apology to all those that were negatively affected by the release of my e-mail into the public."

View: Original Article

Yeah, btw I talked to a banking exec over a year ago. She mentioned that they knew how to track people despite the use of anonymizers. Just FYI. I am sure the techniques used will eventually become public and then new methods will be developed, but for now, play as if you can be tracked. Disposable hardware which has little to no ability to be traced back to you... pay in cash at a store with no cameras.


Text of Aaron Barr's email:

From: Aaron Barr

Content-Type: multipart/signed; boundary=Apple-Mail-482-7348960; protocol="application/pkcs7-signature"; micalg=sha1

Subject: You can't protect stupid

Date: Mon, 12 Jul 2010 15:17:39 -0400

Message-Id:

Cc: Ted Vera ,

Rich Cummings

To: Greg Hoglund

Mime-Version: 1.0 (Apple Message framework v1081)

X-Mailer: Apple Mail (2.1081)

[snip]

Night Hacker Online

Learning Python 2.6

******

HF l33t Posts: 121

Joined: Jun 2010

Reputation: 1

Hi all I have decided to create a quick basic straight to the point TUT on a bit of Social Engineering, this is something that I use and it's handy if you are using a free Public Crypter and it only leaves your server FUD for a small amount of time.

Ok so first things first I go straight to a chat room such as 321.com so sign up with a good name e.g. Naughty Vicky get a good photo to use from MySpace of a nice looking chick save it to your computer, also remember to leave your msn your using in the profile you create so the victims can simply add you from there. So now go to the Teen chat you will get about 20-30 boxes pop up with questions such as ASL please now just copy and paste this …

[N.B.: ASL refers to Age, Sex, Location]

They say ASL now just copy and paste it in each box you will have about 20 Victims asking you.

Hey there 16 straight and naughty ive got some nice pictures add me it's (put your email)

Copy this above ^ into the 321 in each Victims chat box then wait tell they add you on your msn

Copy and paste this into your victims msn chat from your fake msn when you have added them.

Hey heres the pictures please don't spread them though ok as don't want the whole world seeing them ;) also you might need to take your crappy Antivirus off as msn picks up everything enjoy Tongue

Remember as well don't bother chatting to them for ages it's pointless it only puts them off in the long run, my trick is to simply go from one to the next if they moan block them and move one. "Try to sound as legit as possible" by adding smiley faces Tongue etc. If you do this you seem more like a chick and that is what you want "

Well that is pretty much what I use for sniping my victims this is just a simply basic TUT for any new members that might be finding it hard to spread servers etc… Thumbsup

Aaron Barr

CEO

HBGary Federal Inc.

Here is Greg Hoglund's response:

Delivered-To: [email protected]

Received: by 10.224.36.193 with HTTP; Mon, 12 Jul 2010 16:10:50 -0700 (PDT)

In-Reply-To:

References:

Date: Mon, 12 Jul 2010 16:10:50 -0700

Message-ID:

Subject: Re: You can't protect stupid

From: Greg Hoglund

To: Aaron Barr

Cc: Ted Vera , Rich Cummings

–001517503cc81020d8048b38ddc8

Content-Type: multipart/alternative; boundary=001517503cc81020d4048b38ddc7

–001517503cc81020d4048b38ddc7

Content-Type: text/plain; charset=windows-1252

Content-Transfer-Encoding: quoted-printable

Thats fucking brilliant.

-G
